We are using a self-signed certificate in our application & want to use HSTS header for added security. We access our application using ip or hostname.
I found that for HSTS to work,
- no certificate errors must be there (installed self-signed certificate in browser)
- access with hostname
- at least once our application needs to be accessed using https before HSTS starts working.
On doing this, I was able to make HSTS work in chrome (saw 307 response when accessed with http). But HSTS is not working with IE. I am getting 301 redirect (we have configured a reverse proxy which will redirect http to https). I want to make redirection work due to HSTS. any idea what i am missing!